Microsoft is launching a new anti-phishing measure that will issue a warning to users when their system credentials are pasted into documents and websites.
Malware and phishing campaigns can be used to obtain an organization’s login details and do all kinds of damage, from stealing sensitive data to sell on the dark web, to gaining insights about business partners and spreading the attack further.
Enhanced phishing protection
Initially, the enhanced phishing protection only warned users when they manually typed their password into a document or website. Many people, however, store their credentials in a password manager and copy and paste them instead.
With Windows Insider Preview Build 23506, copying and pasting your Windows password is now detected as well. In the release notes for the build, Microsoft says, “We’re trying to make a change starting with this release where users will see…a UI warning about insecure password copy-and-paste, just as they currently see them when typing in their password.”
To enable the feature, preview build users need to open Windows Security and, under Application and browser control > Reputation-based protection > Phishing protection, enable all checkboxes.
When you then copy and paste your Windows password into a website, a dialog will appear warning you of the dangers of password reuse, and recommending you change your local Windows account password with a link to take you straight to Settings to do so. Or you can choose to dismiss the warning.
However, BleepingComputer notes that the feature does not seem to work when pasting the password into some third-party applications, such as Notepad2 and Notepad++, which people commonly use to enter credentials.
The warning also doesn’t work if you’re using the company’s passwordless sign-in feature, Windows Hello, where biometrics or a PIN are used to grant you access instead. A password must be used to log into Windows so that it is stored in system memory and can therefore be compared against the pasted text.